Limit which local users can use postfix
Compromised web sites can be used to relay spam email. To limit that, or to track which web sites are being used to send spam, you can restrict which local users can use sendmail. As root:
- Create a file /etc/postfix/sendmailAllowedUsers, put
user OK
on a line for each allowed user. (I put one line in my file “root OK” so only root can use sendmail)
- run
postmap /etc/postfix/sendmailAllowedUsers
- Add the line
authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers
to /etc/postfix/main.cf
- run
postfix reload
Only the users in the sendmailAllowedUsers file will be able to send email.
If your web sites need to be able to send mail:
- Create a user account for each web site. You can use the same account that is already set up for the user to FTP their web site into place
- run
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-sql
- If you are using CentOS 7, execute
systemctl enable saslauthd && systemctl start saslauthd
- If you are using CentOS 6, execute
chkconfig saslauthd on && service saslauthd start
- Add the following line to main.cf
smtpd_sasl_auth_enable = yes
- run
postfix reload
Now the users can connect to the SMTP server running on 127.0.0.1 port 25, and they will have to authenticate to send email. The server administrator will be able to track who is sending email by looking at /var/log/maillog.
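An added example (not part of the original page): a small Python script for the maillog tracking described above. It attributes each queued message to the SASL user or local uid that submitted it and counts local submissions rejected by authorized_submit_users. The sample log lines are constructed, and the line layouts (smtpd sasl_username=, pickup uid=, qmgr nrcpt=, and the sendmail "not allowed to submit mail" error) are assumptions to check against your own maillog.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real server); layouts are assumed.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 postfix/smtpd[2101]: 4A1B2C3D4E: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=site1
Mar  3 10:00:01 web1 postfix/qmgr[900]: 4A1B2C3D4E: from=<news@site1.example>, size=2048, nrcpt=1 (queue active)
Mar  3 10:00:07 web1 postfix/smtpd[2102]: 5B2C3D4E5F: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=site2
Mar  3 10:00:07 web1 postfix/qmgr[900]: 5B2C3D4E5F: from=<x@site2.example>, size=900, nrcpt=50 (queue active)
Mar  3 10:00:09 web1 postfix/smtpd[2102]: 6C3D4E5F6A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=site2
Mar  3 10:00:09 web1 postfix/qmgr[900]: 6C3D4E5F6A: from=<x@site2.example>, size=910, nrcpt=50 (queue active)
Mar  3 10:01:00 web1 postfix/sendmail[2200]: fatal: User apache(48) is not allowed to submit mail
Mar  3 10:02:00 web1 postfix/pickup[950]: 7D4E5F6A7B: uid=0 from=<root>
Mar  3 10:02:00 web1 postfix/qmgr[900]: 7D4E5F6A7B: from=<root@web1.example>, size=500, nrcpt=1 (queue active)
Mar  3 10:09:00 web1 postfix/qmgr[900]: 5B2C3D4E5F: from=<x@site2.example>, size=900, nrcpt=50 (queue active)
"""

SASL = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=.*sasl_username=([^,\s]+)")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+)")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>.*nrcpt=(\d+)")
DENIED = re.compile(r"fatal: User (\S+)\(\d+\) is not allowed to submit mail")

def summarize(log_text):
    """Return ({submitter: {messages, recipients}}, {denied_user: attempts})."""
    owner, seen = {}, set()          # queue id -> submitter; ids already counted
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    denied = defaultdict(int)
    for line in log_text.splitlines():
        if m := SASL.search(line):       # authenticated SMTP submission
            owner[m.group(1)] = "sasl:" + m.group(2)
        elif m := PICKUP.search(line):   # local sendmail/postdrop submission
            owner[m.group(1)] = "uid:" + m.group(2)
        elif m := QMGR.search(line):
            qid = m.group(1)
            if qid in seen:              # deferred mail is logged again on retry
                continue
            seen.add(qid)
            who = owner.get(qid, "unknown")
            stats[who]["messages"] += 1
            stats[who]["recipients"] += int(m.group(2))
        elif m := DENIED.search(line):   # blocked by authorized_submit_users
            denied[m.group(1)] += 1
    return dict(stats), dict(denied)

if __name__ == "__main__":
    stats, denied = summarize(SAMPLE_LOG)
    for who, s in sorted(stats.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{who:12} messages={s['messages']} recipients={s['recipients']}")
    print("denied local submissions:", denied)
```

To run it against a live server, pass the contents of /var/log/maillog to summarize() instead of SAMPLE_LOG.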
Option 1
Allow relaying from external users. Change the line in /etc/postfix/main.cf
inet_interfaces = localhost
to read
inet_interfaces = all
Option 2
Add the following to the end of main.cf
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
Errors – Resolutions
Postfix won't restart and you get the following in /var/log/messages
sql_select option missing
auxpropfunc error no mechanism available
Fix
rpm -e cyrus-sasl-sql
rpm -e cyrus-sasl-ldap
systemctl restart postfix